What is an envelope sender?

An email has two addresses associated with sending it: the envelope sender, and the From: address. The envelope sender is where computers should respond (in the case of bounce messages or errors); the From: address is where people should respond. In most cases, the envelope sender and the From: address match. But they don't always, and they don't have to.

In terms of how it is sent, email is like a package. On the box (that is, during the SMTP transaction), I specify where I want the package sent, and where it should be returned if it could not be delivered.

If this were personal mail, these things would nearly always match -- if you got a package addressed to you, with your Aunt Martha's return address, the card inside the box is almost certainly going to addressed to you, from Aunt Martha. In personal email, the envelope sender (the return address) nearly always matches the From: header.

Things are a little different from a corporation. If you got a box from Amazon, it might be something you ordered. Amazon might have one return address that they use for packages that are undelivered (the return address on the outside of the box), but inside the box, they might ask you to make returns to a different address. Or, it might be a gift that someone bought for you from Amazon. Amazon shipped it, but the package is really from Aunt Martha. With email, There are similar legitimate reasons why a envelope sender might not match the From: header, like a mailing list or a company that does automated bounce processing.

Unfortunately, this is a "feature" of email that spammers and scammers can and do abuse. When you get a message picked up as spam that's "from" PayPal, or your bank, or another trusted institution, they've generally changed the From: address to be at a domain you recognize, while leaving the envelope sender as something they control.